Note from df: the configs here are likely outdated. The most current ones are always on cryptostorm's github {direct link: cryptostorm.org/android}

UPDATED: 04/03/2016 *** Everything is working, download new conf's files ***

This tutorial will work out-of-the-box by following the steps below, but you can complement it with this earlier howto if necessary (all credit to @Graze for doing the original post.)

2) Download and send to your smartphone the OpenVPN config file with the server you want, for the purpose of this tutorial we will use "USCentral-mishigami.ovpn" from github.com

SIDE NOTE: If you change the name "USCentral-mishigami.ovpn" to "whatever.ovpn" the "Profile Name" in the OpenVPN application will acquire that name

3) Open OpenVPN and click "Folder" icon from the right side corner of the screen, this is your "Import Configuration File", just navigate with the file explorer to the directory where you have "USCentral-mishigami.ovpn" and click "Select". The "Import Log" will tell you that it was successfully imported. IMPORTANT: Click the "Disk" button from the bottom right screen side or it will not save in the app.

4) Open OpenVPN app and if you do not see the "USCentral-mishigami" connection just go to "Settings" and then go back to "Profiles".

4.1) Select the "USCentral-mishigami" and it will ask you for a Username/Password, so this is the most tricky part:

4.2) You'll want to take your token and (on your phone) put it in here and calculate the SHA512 hash.

4.3) Take that SHA512 and use it as your Username (NOT password!!!)... Paste it in there. (If you have problems pasting on your device for whatever reason, I ended up picking up a free app called EZ Copy&Paste, which allowed me to shove my SHA512 in there and I am suddenly wondering how I lived without it... Anyway....)

4.4) Enter a password. Can be anything. Cannot be left blank (it complains about that later if you do...)

And that's it, you're good to go! This OpenVPN config file will work with ALL rooted & NON rooted smartphones Android 4.2 and up.

Hope this makes Android lovers like me, a little bit more happy

Last edited by Tealc on Thu Jul 30, 2015 10:58 pm, edited 24 times in total.
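
The username derivation from steps 4.2 to 4.4 of the tutorial above, as an added example that is not part of the original post. It assumes the hash is entered as lowercase hex, the way SHA512 calculators display it; the token is a constructed placeholder and the function names are this example's own.

```python
import hashlib

# Constructed placeholder, not a real token.
SAMPLE_TOKEN = "EXAMPLE-TOKEN-0000-0000"


def token_to_username(token: str) -> str:
    """Return the SHA-512 hex digest of the token for the Username field."""
    cleaned = token.strip()  # copy/paste often adds a newline or a space
    if not cleaned:
        raise ValueError("token is empty")
    if any(ch.isspace() for ch in cleaned):
        raise ValueError("whitespace inside the token; copy it again")
    # Assumption: lowercase hex output, as SHA512 calculators display it.
    return hashlib.sha512(cleaned.encode("utf-8")).hexdigest()


def build_credentials(token: str, password: str = "anything") -> tuple:
    """Username is the hash; the password is arbitrary but not blank (step 4.4)."""
    if not password:
        raise ValueError("password cannot be left blank")
    return token_to_username(token), password


def newline_changes_hash(token: str) -> bool:
    """Hashing 'token\\n' instead of 'token' yields a different username."""
    raw = hashlib.sha512((token.strip() + "\n").encode("utf-8")).hexdigest()
    return raw != token_to_username(token)


if __name__ == "__main__":
    user, pw = build_credentials(SAMPLE_TOKEN + "\n")
    print("Username:", user)
    print("Password:", pw)
    print("trailing newline changes hash:", newline_changes_hash(SAMPLE_TOKEN))
```

A hash computed over the token plus a stray newline is a valid-looking 128-character string that simply will not match, so it is worth checking before pasting.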

------------------------My avatar is pretty much what I look like. <-- ...actually true, says pjWebMonkey, Foilhat, cstorm evangelnomitron. Twitter: @grazestorm. For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ

acid1c wrote:I would suggest using Fdroid or the devs self compiled copies of Openvpn for android https://plai.de/android/

Also he has an xposed module to auto accept to avoid that check box and ok confirmation.

@Tealc if you mean developing a CS android app, I would be for it.

Hi there, and thank you for your reply. So I'm using AFwall+ just like the tutorial you posted. It's just great.

It's been 3 months that I've used Titanium BackUP Pro to remove all the Play Store ties, I really don't like all the snooping around of 99.9% of the apps

In this OpenVPN matter, I've also gone with your "xposed module" and now, no more annoying pop-ups saying something about security. I'm going to install the "Android Revolution HD 61.1" for my HTC ONE and with that I'm going to try and cut the maximum on Google Services, let's see what happens?!

For the Cryptostorm VPN app I really think that this would be a plus, since it would make everything much easier, nevertheless we are actually very fortunate since at least we got it working, there are some iOS users that can't say the same thing (maybe you should change to android?)

SWEET! So happy to have this! I'm going to go buy an additional token for my phone... RIGHT NOW. Can't even wait for the reduced pricing anymore, I want this on my phone and laptop simultaneously right now!

I used afwall+ in the past, but it did not work at all for mobile data. It worked fine for blocking stuff through wifi, but did zero nothing nada for mobile data. If I set it to route everything through the vpn connection, will that fix this issue, even when the vpn is connected over mobile data connection?

And I for one would LOVE an android app. Would definitely give CS users a little easier way to connect and might even convince them to buy more tokens $$$$

Thanks everyone for making this updated thread.

Last edited by Jarmer on Wed Apr 02, 2014 8:37 pm, edited 1 time in total.

down a little it has a link for connecting via android that is set to go to android.cryptostorm.org and then redirects to the old locked android topic. Can you please update that to point to here instead?

Done...

... and huge thanks for noticing and taking the time to point it out, by the way. That's the sort of stuff that would frustrate many a new user.

And Tealc, wohoo!! it works!! Running on the Montreal node right now, and when I connect it gives me the message about the protected socket, and then a warning about saving passwords (lol since the pw doesn't even do anything anyway) and then that's it! So it appears whatever you did with the config worked, and now I'm running fine.

I do have a couple general questions about messages I've seen in the log, I don't *think* they are issues, I just don't know what they mean and was hoping you could help me out.

There are two attached screenshots of the log. On the "deletingroutes" screenshot, I get those messages about deleting the routes when I disconnect and reconnect, is that normal?

On the other, about the ipv4/ipv6 protocol, I woke up this morning and the VPN was disconnected and frozen/hung at the "resolving host names" status, and I had to quit and restart the app to fix it, and it had the messages about the protocol underneath. Any ideas on this one? I'm taking a wild guess and think that maybe it's due to low cell network signal? My bedroom has really low service, so if the cell connection was unstable/dropped off or something like that would it do that?

Again, thanks SO MUCH for this thread and all the help with people like me!!

Jarmer wrote:On the "deletingroutes" screenshot, I get those messages about deleting the routes when I disconnect and reconnect, is that normal?

Yeah the "deleting routes" error is common with this configuration since android doesn't support deleting the default routes. But if you check, that only happens when you disconnect and reconnect, but by default every time you disconnect the VPN android will input the default android routes, that's what he is trying to erase not the routes from cryptostorm, but the main purpose here is that the routes got replaced, I actually don't care if they didn't get deleted. (Did that make sense? It's actually not very easy to explain this, since English isn't my mother language)

Jarmer wrote:On the other, about the ipv4/ipv6 protocol, I woke up this morning and the VPN was disconnected and frozen/hung at the "resolving host names" status

So that means that maybe you didn't have internet access ALL the time, and OpenVPN timed out, you can solve this by adding "ping 10" to the Custom Options in the profile that you want to change, there is already a thread here that talks about this, I don't add it by default since MANY android devices disconnect from the internet when the screen is off (if not the battery will last only 6 hours?).

Sounds good on the routes, I gotcha, I thought it wasn't an error so that's good to hear an explanation.

And yeah, I'd guess internet dropped out a couple times overnight where the connection is spotty in the bedroom, so then the VPN couldn't reconnect. I'll keep my eye on this, but I don't think I want to add the ping thing since it's working fine right now as long as I don't have a super spotty connection. Mine doesn't look like it's disconnecting at all when the screen's off. It also doesn't look like it's using much battery. Loving this connection so far!!!

Looks like I jumped the gun here...4.4.3 is kicking up a lot of fuss from what I read in relation to OpenVPN, both on code.google.com pages and various OpenVPN forums/comment feeds. Even some app developers on Google Play have been burned by the very company some of them work side by side with. It doesn't look like Google gives a toss for OpenVPN compatibility. I wanted to keep 4.4.3, so I set up my phone to dual boot and made the 2nd ROM a 4.4.2, which loves OpenVPN for Android... sorry for the posts!

openvpn seems to be working fine for me on 4.4.3, on a Nexus 4. I'd like to load Cyanogenmod, but I'm hooked on Google apps... I'm going to have to cut the apron strings, maybe a project for the weekend

marzametal wrote:Looks like I jumped the gun here...4.4.3 is kicking up a lot of fuss from what I read in relation to OpenVPN, both on code.google.com pages and various OpenVPN forums/comment feeds. Even some app developers on Google Play have been burned by the very company some of them work side by side with. It doesn't look like Google gives a toss for OpenVPN compatibility. I wanted to keep 4.4.3, so I set up my phone to dual boot and made the 2nd ROM a 4.4.2, which loves OpenVPN for Android... sorry for the posts!

Yeah this is true.... but yesterday Arne Schwabe sent out a new version of OpenVPN (for rooted phones) that apparently fixes this problem?!? I can't check this out since I'm running "ARHD71.1 ROM" and it comes with OpenVPN support

May I jump into this discussion? I see your problems with Android here and let me tell you it is basically THE topic that kept me most busy when it comes to OpenVPN. I spent days racking my brain and I tried everything in my (and others) book to get a perfect solution. tl;dr: There is none. Even hacking around the system files doesn't help much and as long as you don't rewrite some Android parts from scratch it's easier to use what the awesome open source community gave us already. Following my suggestion both gives you a perfectly fine working OpenVPN experience plus a "as safe as it gets with Android" environment on your phone.

One warning though: I won't go into much detail why I suggest the following as it would take ages to explain.

But let me get to the facts:

Don't use any Android version after 4.2.2! tbh: Use EXACTLY 4.2.2 and nothing else! This also applies to Cyanogenmod! Use CM version 10.1.3 Stable as it is Android 4.2.2. Why you might ask? Because the versions after that have ways to circumvent leak protections like AFWall+ and other nasty stuff concerning available and preferred Crypto parameters. Also the way DNS is handled literally fucks up any reasonable attempt to prevent DNS-Leaks properly on the long run.

Use Arne Schwabes OpenVPN for Android. Grab it on F-Droid. I heard other clients might work as well but Arne does it right. So no experiments.

Use AFWall+ (grab it on F-Droid), activate IPv6 support (to block it!), activate VPN support and then block everything on every network but OpenVPN and VPN-Services. Also activate VPN at "all applications". There you go: Leakblock made easy. (Thx to acid1c)

Install XPosed Framework and install XPrivacy.

And let's be honest here: If you are really serious about not leaking your identity and data to the outside --> DON'T INSTALL GAPPS! PERIOD! If you want PlayStore Apps use Android in a VM and export the APKs or download via APK Downloader. If that's "too uncomfortable" then well... Buy an iPhone, clear your mind from any concerns about privacy and security and enjoy your comfortable stay at the walled garden.

Cheers, took your advice and went back to a 4.2.2 ROM. I really dig it to be honest. It's cool! I even find OpenVPN connects much quicker, woo hoo! Tell ya' what... I was blown away when I first saw XPrivacy kick in, thought to myself wtf is this?! Strength beyond strength! I also love the fake mods it can provide in regards to User Agent. I have made use of some APK Downloader sites since it was mentioned in your post. Thoroughly useful and thanks once again, DesuGuest lmao...

In regards to Also activate VPN at "all applications". On its face, it's worth activating to force everything through the VPN. My thought on this is, rather block access than allow access? For example, in the firewall log, crap pops up left right and center. I'd rather see things being blocked than allowing it through the VPN for the sole reason it is a secure path. I'm not saying take this as gospel, but would like your opinion if possible.

you could hand code, line by line, the perfect impenetrable OS for your phone, and it wouldn't make a goddamn bit of difference - because the easily hackable (using <1.4k$ usd equipment) baseband will turn over complete control of your phone to anyone with the knowledge and equipment to do so.

Let's see if I get cold sweats going cold turkey on GAPPS, thanks for the recommendation, much appreciated.

Same... haven't had GAPPS installed for 3 days now (whether it be full, core or bare-bone)... been abusing the apkleecher website a bit... mind you after I set apps up previously, I'd backup and uninstall them as a precaution. Now, nothing! Although, I did notice when I had the CPU info selected to load on my screen, that com.google.android.gapps popped up once. So I am left wondering...

This shows how considerate our friends at CryptoStorm are! Good thinking but I can give an all-clear signal on this source: It's provided by the maker himself, Arne Schwabe. I grabbed the link from his own google-code page so it should be more than fine.

Glad I was able to help some folks out with that even though the whole post was very rushed.

PS: I forgot another great XPosed Module --> Auto VPN Dialog Confirm. It helps you get rid of the annoying "do you trust this VPN?" dialog. With this you can create a 100% automatic VPN environment if you also tell Arne Schwabes OpenVPN that it should connect at startup and on network change.

marzametal wrote:In regards to Also activate VPN at "all applications". On its face, it's worth activating to force everything through the VPN. My thought on this is, rather block access than allow access? For example, in the firewall log, crap pops up left right and center. I'd rather see things being blocked than allowing it through the VPN for the sole reason it is a secure path. I'm not saying take this as gospel, but would like your opinion if possible.

Well... This heavily depends on how you handle security on your phone. I use AFWall+ as a simple leakblock that I set up and "forget". I very rarely open it up; mostly when a new version got released to check on new options. I like to manage all my security at one place and this is the XPrivacy module. I can block internet access there as well and do this actively. My default settings are to block everything by default (even the red system permissions) and then allow individual permissions as they are actually needed for the app to work. (emphasis on "actually"! Not what it requests!) But that is just how I do things.

You could very well do a different approach in managing different things at different places. You could also use AFWall+ as a second line of defense for the very unpleasant case that XPrivacy for some reason fails to block internet access. So yes: Your approach is very reasonable. Just be careful with the system services. There may be cases where you want to block some of those but this should only be done by people who very well know what the individual system services do.

As to your gapps incident... There still are (and always will be) some resources with google in their name if you use an android based rom but gapps should not be there. The only explanation I have is that some app requested access to it not knowing that it doesn't reside on your phone.

But anyways: Always glad to see that people actually care and get rid of GAPPs and the Google Services Framework! You really rarely (or never) need those as you can grab your Apps anyways. With it all security efforts are pretty useless in my opinion.

So this is for rooted devices? How about non rooted? My new tablet isn't rooted yet. I used to be able to connect on this tablet but since buying a new token I can't connect any more. I started from the beginning and still get "Auth failed" every time. I even reinstalled the OpenVPN app. Any suggestions?

Since this tutorial has the old cert's and the old OVPN settings from the very first conf's that got to see the light of day, it's more than possible that something got broken on the way, so.... I'm making new conf's for this OpenVPN Android app, specific for the most current cert's and conf's.

And BTW, it works with non rooted phones, but I've found out that some "branded" android versions don't allow OpenVPN to make their magic, for example with my non-rooted HTC M8 (also in my M7) I've got it working in a heart beat, with my wife's non rooted Samsung Galaxy S5 no such luck, at first the app crashed, then after several re-installs I got to the import config file part and it crashed, but got to add the conf to the profiles page (??) but when I try to connect it just doesn't work saying something about "... severe damage to your device". I've already sent a bug report to the man in charge of producing this amazing app, let's see what he has to say

Tealc wrote:Since this tutorial has the old cert's and the old OVPN settings from the very first conf's that got to see the light of day, it's more than possible that something got broken on the way, so.... I'm making new conf's for this OpenVPN Android app, specific for the most current cert's and conf's.

Thank you Tealc, very much appreciated. Will the new confs be in the same place when they're ready?

Has anyone noticed a new entry in the OpenVPN for Android log? When the VPN profile is clicked, and it begins to load... I see an entry called "Initializing Google Breakpad". It seems to be a crash reporting system, copied/borrowed/lent from Mozilla Firefox/Google Chrome's Crash Reporter. Just wondering if the latest stable OfA has it, or Arnie includes it just on betas...

So everything updated... this time there are all the "exit nodes" available, if you find some kind of error let me know.

BTW to everyone that's going to check the config file BEFORE using, YES I've removed the hostname of the "exit node" and left only the IP, I actually don't know why, but I've got a bunch of errors with the hostname in place. If you do not want this, just change it back to the hostname

marzametal wrote:Has anyone noticed a new entry in the OpenVPN for Android log? When the VPN profile is clicked, and it begins to load... I see an entry called "Initializing Google Breakpad". It seems to be a crash reporting system, copied/borrowed/lent from Mozilla Firefox/Google Chrome's Crash Reporter. Just wondering if the latest stable OfA has it, or Arnie includes it just on betas...

Which beta version are you running? Because the OLD Android OVPN configs were for the 0.6.11 stable, these ones will only work with 0.6.17 stable or bigger

Yeah, I was on 0.6.15 when I saw the Google Breakpad stuff pop up... so jumped to 0.6.17, been about a week or so since the upgrade. Ahhh, I see the step I missed. It wasn't enough to just upgrade to 0.6.17. I have to also upgrade the config file too... small request, can you add a little line at the beginning of the first post to indicate when it was last updated, instead of relying solely on the update dates inside it?

Recently I upgraded to a 4.4.4 ROM and am currently using the standard configs posted in the op. Things at first work great then I start getting the attached error messages over and over again. I'm using a token I purchased in April for one year so I know it's not that, and it connects fine to begin with. Just after a while it starts disconnecting and erroring out with the auth failure messages. Any ideas here? I saw some comments above that 4.4.2+ have issues with openvpn, is that still the case now?

OpenVPN works fine on 4.4.4, provided you are using the latest OpenVPN for Android build... The latest stable is .6.17, although I just noticed there is a beta (up to you). You can download it from here Full List of OpenVPN for Android releases

May I ask what ROM you are using? I am using SlimSaber 4.4.4

The errors also might have to do with the recent disruptions on the UNSAE exit node. I had to resort to Onyx and haven't looked back. Do you get the errors on other cluster choices?

Jarmer wrote:Recently I upgraded to a 4.4.4 ROM and am currently using the standard configs posted in the op. Things at first work great then I start getting the attached error messages over and over again. I'm using a token I purchased in April for one year so I know it's not that, and it connects fine to begin with. Just after a while it starts disconnecting and erroring out with the auth failure messages. Any ideas here? I saw some comments above that 4.4.2+ have issues with openvpn, is that still the case now?

What's your OpenVPN version? You should only use the 0.6.17 or up, anything older will give several bizarre errors. All versions of Android now work fine, no problems even with 4.4.2

Which exit node are you using? Does this auth error get reproduced in other exit nodes?

VirtuosicVagabond wrote:So what's the difference between the .ovpn file you posted and the .conf file posted in that other thread?

If you open both of them with a text editor you will see that there are a LOT of differences, the main configuration parameters in my ovpn file are the same as the ones recommended by Staff from the 1.4 version.

Actually the main differences are:

1) I don't use FQDN to try to connect to the server (be warned that this isn't recommended by Staff), the main purpose of putting only the naked IP is that many devices, and it doesn't matter what version of Android you're running, have some problems trying to figure out the FQDN and tend to leak the real IP address to 3rd party for the dns resolve of the FQDN. It's been documented here in the forum that you can fix the dns resolve problem of sending the real ip address before connecting to CS with ipblock or AFwall+ or something like this, but as you can figure we would need a lot more work to do that, it's simpler and easier to put the naked IP, just saying. Just a small remark, if you use a naked IP, if that server is down or something there will be no dynamic balancing of your connection to another server and that could be a potential security risk?!

2) Since the beginning of my involvement in CS the "main ovpn file" used with RAW linux connections wasn't really accepted in a lot of the configuration parameters by the default ovpn android app, I know that since then the parameters have changed and the normal 1.4 conf CS ovpn file can be imported to the ovpn android app without critical errors, but still with some.

You know, this comes down to your choice, my config files for android are here for everyone to see and test, there are no hidden parameters (is that even possible?) and they are hassle free, they just work out-of-the-box (or owncloud)
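
The trade-off in point 1 of the post above (a hostname resolved before the tunnel is up versus a single bare IP with no fallback), together with the "ping 10" option mentioned earlier in the thread, can be checked in any .ovpn file before importing it. This is an added example, not part of the original post or of cryptostorm's configs; the sample configs, hostnames and addresses are constructed, and the finding names are this example's own.

```python
import ipaddress

# Constructed samples, not real cryptostorm configs.
SAMPLE_FQDN = """\
client
dev tun
proto udp
remote vpn-a.example.net 443
remote vpn-b.example.net 443
resolv-retry infinite
auth-user-pass
"""

SAMPLE_IP = """\
client
dev tun
proto udp
remote 192.0.2.10 443
auth-user-pass
<ca>
(constructed placeholder, certificate omitted)
</ca>
"""


def parse_directives(text):
    """Yield (name, args) per directive, skipping comments and inline <tag> blocks."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(text):
    """Return the remote hosts and a list of findings for one client config."""
    remotes, keepalive = [], False
    for name, args in parse_directives(text):
        if name == "remote" and args:
            remotes.append(args[0])
        elif name in ("ping", "ping-restart", "keepalive"):
            keepalive = True
    hostnames = [h for h in remotes if not is_ip_literal(h)]
    findings = []
    if hostnames:
        # The name is looked up over the normal network before the tunnel exists.
        findings.append("dns-before-tunnel")
    if len(remotes) == 1 and not hostnames:
        # One fixed address: if that server is down there is nothing to fall back to.
        findings.append("single-ip-no-failover")
    if not keepalive:
        # Client-side only; a server can still push its own ping settings.
        findings.append("no-keepalive")
    return {"remotes": remotes, "hostnames": hostnames, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("fqdn", SAMPLE_FQDN), ("ip", SAMPLE_IP)):
        print(label, audit(cfg))
```

Neither finding is a defect on its own: the first is the pre-connection lookup a firewall rule has to cover, the second is the availability cost of avoiding that lookup.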

Well, I have problems with running it on my mobile phones... I have tried on Nexus4 (CM 11-stable) and OnePlus One (CM 12.1-Nightly). On both phones I have the same behaviour: OpenVPN connects, authenticates, connection is established. And few seconds later:

Curious; why don't we use the official OVPN app? I read through part of the thread, but saw no mention of it, other than to use the app from Arne Schwabe

---------------------------------------------------------------------------------------------------You derive personal satisfaction from the continued existence of the near perfect day-night cycles of the hyper cube.....

abadonna wrote:Well, I have problems with running it on my mobile phones... I have tried on Nexus4 (CM 11-stable) and OnePlus One (CM 12.1-Nightly). On both phones I have the same behaviour: OpenVPN connects, authenticates, connection is established. And few seconds later:

I'm having a similar issue on an HTC J Butterfly running Android 4.1.1. It's a vendor modified version I'm sure, not pure stock Android, but attempting to connect with OpenVPN as per this tutorial seems to connect successfully, then disconnects, then reconnects, then disconnects, etc etc.

Even when the device is in a connected state, it doesn't receive any data. It seems to send, but nothing comes back. I've tried with both Singapore and Cryptofree and both give the same result.

I don't know if this'd be the same problem with OpenVPN or something completely different, but not being able to Cryptostorm on my phone is, like, bumming me out dude

jlg wrote:Tealc's owncloud at the top of this page is currently down/offline. He needs to physically get to the server to get it back up and is currently on vacation. This will be fixed within a week or so.

[Help] I cannot seem to get Cryptofree Android working. Tried Tealc's cryptofree, but no internet. For me strange, it says connection "success" but I got no data coming "in" on network monitor. Data going out seems ok. So can't even browse. Arnes OpenVPn says "WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1606', remote='link-mtu 1602'" I am on Lollipop 5.1, rooted. Any advice please? What am I doing wrong? I would like to get this free one able to work on my android before I next step buy token for non-free.

Can you post here the complete log of the openvpn connection status? Just print screen the "bitch", the link mtu has nothing to do with it. Btw do you have any kind of those "Internet Protection Suite" like "Panda Antivirus PRO"?

Tealc

col883 wrote:[Help] I cannot seem to get Cryptofree Android working. Tried Tealc's cryptofree, but no internet. For me strange, it says connection "success" but I got no data coming "in" on network monitor. Data going out seems ok. So can't even browse. Arnes OpenVPn says "WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1606', remote='link-mtu 1602'" I am on Lollipop 5.1, rooted. Any advice please? What am I doing wrong? I would like to get this free one able to work on my android before I next step buy token for non-free.

hi Tealc. Thanks for replying. i don't use any antivirus at all. i remember on my old phone the android cryptofree worked but i haven't been able to get it to work for ages anymore. i tried the cryptofree ovpn from your git and Tealc's ovpn and always the same, says connection success but no data coming in. just network monitor shows data going out. no panda installed. here is a copy of the log. I tried to remove all personal info. you might want to recheck if i did: log from Arnes OpenVPn :

Hi there everyone, it seems that Android 5.0.1+ has problems with setting up routes that are pushed by the OpenVPN app, currently no OpenVPN app works, no matter what conf file or version of it you use.

I've already contacted Arne Schwabe and I'm waiting for some news about this problem.

Actually if we google the words "Android 5.1.1 OpenVPN" everyone can see that this is a well spoken subject.

Stay tuned on this topic (use "Notify me when a reply is posted") for more info

EDIT 01/03/2016: It appears that the problem isn't reproduced by everyone, and it currently affects mostly people with non-rooted devices, in my wife's non-rooted Sony Z3 it doesn't work, in mine rooted it does work.

Tealc